Use the following settings:

[Figure 1: pfSense IPsec Mobile Client Settings]

IKE Extensions: Checked

User Authentication: Local Database

Group Authentication: system

Virtual Address Pool: Checked. Provide a private IP range that does not overlap your LAN (or any other network the clients will reach through the VPN). I like to use something in the 172.16.x.x range.

Virtual IPv6 Address Pool: Unchecked

Network List: Unchecked

Save Xauth Password: Unchecked

DNS Default Domain: Checked. Set it to the domain name of the LAN behind the VPN.

Split DNS: Unchecked

DNS Servers: Checked. Enter your local DNS server(s).

WINS Servers: Unchecked

Phase2 PFS Group: Unchecked

Login Banner: Unchecked

You may tweak these as needed, for example if you don't have a local domain, or if you want to provide a login banner to clients that support it.

Click the Save button. Apply the settings and click the + Create Phase 1 button that should appear at the top of the window. If it does not appear, navigate to the Tunnels tab and click the + Add P1 button.

Congrats! You’ve just finished setting up your VPN. Now, how do you get it on your devices? While iOS and macOS offer the option to manually configure IKEv2 VPNs, because of the advanced settings we’ve used (AES-GCM1 and DH Group 20 in particular), we need to use a mobile profile to configure them and load them onto the device. Head on over to Part 3 for instructions!

But what about my non-Apple clients?! While this article is aimed at configuring the VPN for iOS and macOS clients, there are ways to make this work for other operating systems. Windows 10, much like iOS and macOS, has built-in support for IKEv2 VPNs. However, also like iOS and macOS, the cipher suite we've chosen in this setup requires manual configuration through PowerShell. See the PowerShell reference here: Set-VpnConnectionIPsecConfiguration Reference. Be mindful that in PowerShell, DH Group 20 is represented by the ECP384 option. I plan on testing this soon and will perhaps do a Part 5 for other clients.
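The Windows 10 PowerShell configuration that paragraph refers to, as an added example (not from the original article): the connection name, server address and the exact IKE/ESP proposals are assumptions, since this excerpt does not show the tunnel's Phase 1/Phase 2 settings; match them to what you configured in pfSense.

```powershell
# Assumed values: replace with your own server name and the proposals from your pfSense tunnel.
$Name   = "Home VPN"
$Server = "vpn.example.com"   # placeholder, not from the article

# Create the IKEv2 connection. EAP (MSCHAPv2) matches "User Authentication: Local Database".
# -RememberCredential is left off, mirroring "Save Xauth Password: Unchecked".
Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType Ikev2 `
    -AuthenticationMethod Eap -EncryptionLevel Required -SplitTunneling $false -Force

# Pin the proposals so Windows does not fall back to its weak defaults.
# DH Group 20 (384-bit ECP) is "ECP384" here; GCMAES256 for ESP assumes the
# tunnel's Phase 2 uses AES-GCM 256; AES256/SHA384 for IKE is an assumption.
Set-VpnConnectionIPsecConfiguration -ConnectionName $Name `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA384 -DHGroup ECP384 `
    -CipherTransformConstants GCMAES256 -AuthenticationTransformConstants GCMAES256 `
    -PfsGroup ECP384 -Force

# Verify what was actually applied before connecting.
Get-VpnConnection -Name $Name | Select-Object Name, TunnelType, AuthenticationMethod, EncryptionLevel
Get-VpnConnection -Name $Name | Select-Object -ExpandProperty IPsecCustomPolicy
```

If the connection fails with a policy-match error, compare the output of the last two commands against the Phase 1 and Phase 2 proposals on the pfSense Tunnels tab; every algorithm and DH group must agree on both ends.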

UPDATE: See the comments on Part 4 for a discussion about supporting Windows 10 clients.